# Provisioning-side totpcgi configuration. The comments below refer to
# totpcgi.conf as a sibling file, so this is presumably the file read by
# provisioning.cgi (several keys are marked "Used by provisioning.cgi").
# NOTE(review): the double-brace and brace-percent constructs are template
# directives, rendered by the deployment tooling before an INI parser sees
# the file; "$username" is a placeholder left for the application itself.
# Both "#" and ";" are used as full-line comment markers in this file.
[secret]
# Whether to encrypt the secret when we generate it. Encrypting the secret
# with the user's pincode means that even if the .totp file is leaked, an
# attacker will not be able to get the secret without knowing the user's
# pincode. The downside is that if a user forgets their pincode, both the
# pincode and the secret will need to be fully re-provisioned.
# Setting to "True" will also turn off scratch-token support.
# NOTE: left at False here, which is also what trust_http_auth = True
# (further down in this section) forces.
encrypt_secret = False

# You can allow for some clock drift between the client and server by setting
# the permitted window size. Window size is calculated in 10-second intervals,
# so a window size of 6 allows clock drift of 60 seconds in either direction.
# By that arithmetic the value below permits 30 seconds either way. A wider
# window also lengthens the period during which any single code is accepted,
# so keep it as small as the deployment's clock skew allows.
window_size = 3

# First value is the number of times. Second value is the number of seconds.
# So, "3, 30" means "3 failures within 30 seconds"
# The INI parser hands this to the application as one string; the split on
# the comma happens in the application.
rate_limit = 3, 30

# How many scratch tokens to generate. Note, that this setting is ignored
# if encrypt_secret is set to True.
scratch_tokens_n = 5

# This identifies the token in the Google Authenticator application. It comes
# very handy when users have more than one token, so set this to something
# descriptive of your environment.
# The "env" template variable selects the staging or production domain; the
# two branches differ only in that domain.
{% if env == "staging" %}
totp_user_mask = $username@stg.fedoraproject.org
{% else %}
totp_user_mask = $username@fedoraproject.org
{% endif %}

# Used by provisioning.cgi
# Where the provisioning CGI is located, with regards to the web root.
action_url = /totpcgiprovision/index.cgi

# Used by provisioning.cgi
# Where provisioning.css and provisioning-print.css are located with regards
# to the web root.
css_root = /totpcgiprovision/

# Used by provisioning.cgi
# Where to find the templates files.
templates_dir = /etc/totpcgi/templates

# Used by provisioning.cgi
# Whether to rely on HTTP auth to handle authentication.
# As we don't get the password, only the username, turning this on
# will automatically set encrypt_secret to false.
#
# Be careful turning this on.
# NOTE(review): with this enabled the CGI treats the username handed to it
# by the web server as already authenticated, so protection of the path
# under action_url rests entirely on the web server's auth configuration.
# Confirm that no request can reach the CGI without passing that HTTP auth
# — TODO verify in the web server configuration.
trust_http_auth = True


[pincode]
# Which hashing mechanism to use. Valid entries: md5, bcrypt, sha256, sha512
# NOTE(review): md5 is in the accepted list but is not a suitable choice for
# new pincodes; bcrypt or sha512 are the stronger options. Whether sha256 and
# sha512 here denote salted crypt-style hashes is not visible from this file
# — confirm in the pincode backend before relying on them.
usehash = sha256

# Whether to compile the DBM database (only meaningful with the file backend)
# NOTE: [pincode_backend] below uses the pgsql engine, so this value has no
# effect in this configuration unless that backend is switched to file.
makedb = True

# The backends are pretty much the same as in totpcgi.conf, except if you
# are using the postgresql secret backend, you need to connect as a user
# that is allowed to modify user records (e.g. totpcgi_admin).
[secret_backend]
; File backend (disabled; the active engine is set exactly once, below):
;engine = file
;secrets_dir = /etc/totpcgi/totp

; For PostgreSQL backend:
; NOTE(review): the rendered file embeds the database password in clear
; text (the password= field), and the same connection string is repeated
; under [pincode_backend] and [state_backend]. The rendered file must be
; readable only by the account that runs the CGI and must not live under
; the web root. The libpq-style connection string sets no sslmode, so
; whether the link to db-fas01 is encrypted depends on client and server
; defaults — TODO confirm.
engine = pgsql
pg_connect_string = user={{ totpcgiadminDBUser }} password={{ totpcgiadminDBPassword }} host=db-fas01 dbname=totpcgi

[pincode_backend]
; PostgreSQL backend: same database and credentials as [secret_backend].
; The password is embedded in clear text in the rendered file, so the file
; must be readable only by the account that runs the CGI.
engine = pgsql
pg_connect_string = user={{ totpcgiadminDBUser }} password={{ totpcgiadminDBPassword }} host=db-fas01 dbname=totpcgi

; For LDAP backend (simple bind auth):
; Disabled alternative. If enabled, comment out the engine key above so the
; section sets engine exactly once. The example uses ldaps:// with an
; explicit CA certificate, which is what a bind-based backend should keep.
; NOTE(review): $username is substituted into the bind DN; confirm the
; backend validates/escapes it before the DN is built.
;engine = ldap
;ldap_url    = ldaps://ipa.example.com:636/
;ldap_dn     = uid=$username,cn=users,cn=accounts,dc=example,dc=com
;ldap_cacert = /etc/pki/tls/certs/ipa-ca.crt

[state_backend]
; File backend (disabled; the active engine is set exactly once, below):
;engine = file
;state_dir = /var/lib/totpcgi

; For PostgreSQL backend:
; Same database and credentials as [secret_backend] and [pincode_backend].
; The password is in clear text in the rendered file, so the file must be
; readable only by the account that runs the CGI and kept out of the web
; root.
engine = pgsql
pg_connect_string = user={{ totpcgiadminDBUser }} password={{ totpcgiadminDBPassword }} host=db-fas01 dbname=totpcgi
